The UK’s Information Commissioner’s Office (ICO), in a decision dated December 11, 2025, imposed a fine of £1.2 million (approximately €1.375 million) on a British company that provides password management services for a serious data breach that occurred in 2022.
The case involves two separate incidents which, combined, allowed a hacker to access the company’s backup database and steal personal information from up to 1.6 million customers, including names, email addresses, phone numbers, and stored website URLs.
Although the “zero-knowledge” encryption system prevented the stored passwords from being decrypted, the failure to implement adequate security measures left personal data exposed. The unauthorized access was made possible by the compromise first of a company laptop and then of an employee’s personal device, which held the decryption key. The breach was deemed severe because of its scale, the categories of data involved, and the failure to adopt adequate security controls.
